Time to retire Social Security numbers?

Stephen Coggeshall, chief analytics and science officer, LifeLock

Published 2:19 PM ET Thu, 14 Aug 2014
CNBC.com

Another day, another threat of identity theft. Or so it seems.

Some blame retailers for not doing enough to protect customer information from data breaches. Many say computer and software companies are at fault. Still others point to the Internet and the realities of our all-digital lifestyle.

But the root of modern identity theft in America can be traced back well before 1995, when Amazon sold its first book, or even 1958, when the first universal credit card was issued by a bank. In fact, we can pinpoint the exact date: Dec. 1, 1936, the day John D. Sweeney, Jr. of New Rochelle, N.Y., was assigned the first Social Security number.

While attention has been rightfully focused on credit-card fraud in the wake of data breaches at major retail stores, one of the most damaging kinds of identity fraud doesn't begin with a credit card. It starts with a stolen Social Security number (SSN), giving sophisticated rings of thieves access to one's personal identity.

The most recent report by the U.S. Bureau of Justice Statistics pegs the annual cost of identity theft to Americans at nearly $25 billion – $10 billion more than all cases of motor vehicle theft, burglary and theft combined. A pilfered personal identity package, including an SSN, costs about the same on the black market as a large latte, providing a pretty good indicator of how easy such packages are to monetize.

Social Security numbers were originally issued to allow the federal government to track tax contributions to the nation's new retirement system. But over the past 80 years, the SSN has morphed into a near-universal way to authenticate identity. Americans today are routinely asked to confirm their identities by doling out their SSNs when they apply for a mortgage, check into a hospital, or register for the SAT.

To be fair to the Social Security Administration, SSNs were never intended to serve this purpose. In fact, by 1946, Social Security cards came printed with this specific admonition: "Not For Identification." Yet as the use and misuse of SSNs has multiplied, so has identity fraud.

Modern transactions require the successful completion of two tasks: identification and authentication. We need to identify who we are and verify that we are who we say we are. At an ATM, our debit card identifies us as the owner of a specific account, while our PIN verifies that identity. When we sign into a website, our username identifies us, while our password verifies us.

The problem with SSNs today is that they're called on to perform both tasks. Once SSNs became ubiquitous as identifiers, they lost all their power as verifiers. A number that has never been more exposed — and was never intended to be a secret — is now supposed to be the secret confirmer of our identities.

So, how do we solve this problem?

First, we need to shed our outdated notion of identity. Modern identities aren't physical cards. They live digitally, not physically, and are vulnerable 24/7/365. While some Americans routinely monitor their credit reports, most devote little attention to monitoring the fraudulent use of their identities in ways that never show up on a credit report.

Second, we need to retire the SSN as an identifier and verifier. From a security standpoint, SSNs have been fatally compromised. According to our research, more than 15 million SSNs have been deliberately misused, and more than 8 million people have used two or more SSNs. Proposals to heap even more responsibility on SSNs — such as using your Social Security card in the voting process — are heading in the wrong direction. Businesses that use SSNs to identify consumers should move away from this practice and establish more secure ways to identify and verify their customers.

Third, we need a national discussion about identity protection. The government has a responsibility to drive conversation among regulators, consumer groups, businesses and the companies that provide identification and verification services. Ultimately, we need to reach agreement on ways to combine unique identification with independent methods of identity verification.

To guard against identity theft, one major news publication recently advised its readers to put away the debit cards and start using cash at gas stations, restaurants and stores. Before regressing to an all-cash or barter economy, we need to get out of the 1930s and into the 21st century when it comes to using SSNs to protect our identities.

Commentary by Stephen Coggeshall, the chief analytics and science officer at LifeLock. Coggeshall has spent his 20-plus-year career leading scientists to build practical solutions to difficult business problems using advanced analytics.